hyperlane-xyz · paulbalaji · Jan 16, 2026 · Jan 16, 2026 · Jan 16, 2026 · Jan 16, 2026
@@ -0,0 +1,42 @@
+---
+name: claude-review
+description: Review code changes using Hyperlane Warp UI coding standards. Use when reviewing PRs, checking your own changes, or doing self-review before committing.
+---
+
+# Code Review Skill
+
+Use this skill to review code changes against Hyperlane Warp UI standards.
+
+## When to Use
+
+- Before committing changes (self-review)
+- When asked to review a PR or diff
+- To check if changes follow project patterns
+
+## Instructions
+
+Read and apply the guidelines from `.github/prompts/code-review.md` to review the code changes.
+
+### For PR Reviews
+
+When reviewing a PR, deliver feedback using `/inline-pr-comments` to post inline comments on specific lines.
+
+**Delivery format:**
+
+1. **Inline comments** - For all issues on lines IN the diff
+2. **Summary body** - For:
+   - Overall assessment
+   - Architecture concerns
+   - Issues found OUTSIDE the diff (use "## Observations Outside This PR" section)
+
+GitHub API limitation: Can only post inline comments on changed lines. Issues in unchanged code go in the summary body.
+
+### For Self-Review
+
+When reviewing your own changes before committing:
+
+1. Run `git diff` to see changes
+2. Apply the code review guidelines
+3. Fix issues directly rather than commenting
+
+Security issues should use `/claude-security-review` instead.
@@ -0,0 +1,25 @@
+---
+name: claude-security-review
+description: Security-focused review for frontend/Web3 code. Use for XSS, wallet security, CSP, and dependency checks.
+---
+
+# Security Review Skill
+
+Use this skill for security-focused code review of frontend Web3 code.
+
+## When to Use
+
+- Reviewing wallet integration code
+- Checking for XSS vulnerabilities
+- CSP header changes
+- Dependency updates
+
+## Instructions
+
+Read and apply the security guidelines from `.github/prompts/security-scan.md` to review the code changes.
+
+Report findings with severity ratings (Critical/High/Medium/Low/Informational) and suggested fixes.
+
+### For PR Reviews
+
+When reviewing a PR, deliver feedback using `/inline-pr-comments` to post inline comments on specific lines.
@@ -0,0 +1,86 @@
+---
+name: inline-pr-comments
+description: Post inline PR review comments on specific lines. Use this skill to deliver code review feedback as inline comments rather than a single summary.
+---
+
+# Inline PR Comments Skill
+
+Use this skill to post code review feedback as inline comments on specific lines in a PR.
+
+## When to Use
+
+- After completing a code review (use with /claude-review, /claude-security-review)
+- When you have specific line-by-line feedback to deliver
+- To make review feedback more actionable
+
+## Instructions
+
+Post a review with inline comments using `gh api`:
+
+```bash
+gh api repos/{owner}/{repo}/pulls/{pr_number}/reviews --input - << 'EOF'
+{
+  "event": "COMMENT",
+  "body": "Optional summary of overall findings",
+  "comments": [
+    {
+      "path": "path/to/file.ts",
+      "line": 42,
+      "body": "Issue description and suggested fix"
+    },
+    {
+      "path": "another/file.ts",
+      "start_line": 10,
+      "line": 15,
+      "body": "Multi-line comment spanning lines 10-15"
+    }
+  ]
+}
+EOF
+```
+
+### Comment Fields
+
+- `path` - File path relative to repo root
+- `line` - Line number in the NEW version of the file (right side of diff)
+- `start_line` + `line` - For comments spanning multiple lines
+- `body` - Markdown-formatted feedback
+
+### Limitations
+
+- Can only comment on lines that appear in the diff (changed/added lines)
+- Comments on unchanged lines will fail with "Line could not be resolved"
+
+### Handling Non-Diff Findings
+
+When you discover issues in code NOT changed by the PR:
+
+1. **Include in summary body** - Always report in the `"body"` field
+2. **Format clearly** - Use a dedicated section "## Observations Outside This PR"
+3. **Be actionable** - Include file:line references so author can follow up
+4. **Don't block** - These are informational; don't use `REQUEST_CHANGES` for non-diff issues
+
+Example structure:
+
+```json
+{
+  "event": "COMMENT",
+  "body": "## Review Summary\n[inline feedback summary]\n\n## Observations Outside This PR\nWhile reviewing, I noticed:\n- `src/utils/foo.ts:142`: Pre-existing null check missing\n- `src/core/bar.ts:78-82`: Similar pattern to line 45 issue - consider deduping",
+  "comments": [
+    // Only lines IN the diff
+  ]
+}
+```
+
+### Feedback Guidelines
+
+| Feedback Type                 | In Diff? | Where to Put It                                           |
+| ----------------------------- | -------- | --------------------------------------------------------- |
+| Specific code issue           | Yes      | Inline comment on that line                               |
+| Pattern repeated across files | Yes      | Inline on first occurrence + note "same issue in X, Y, Z" |
+| Related issue found           | No       | Summary body under "Observations Outside This PR"         |
+| Pre-existing bug discovered   | No       | Summary body (consider separate issue if critical)        |
+| Overall architecture concern  | N/A      | Summary body                                              |
+| Approval/changes requested    | N/A      | Use `event: "APPROVE"` or `event: "REQUEST_CHANGES"`      |
+
+Be concise. Group minor style issues together.
@@ -0,0 +1,44 @@
+Review this pull request. Focus on:
+
+## Code Quality
+
+- Logic errors and potential bugs
+- Error handling and edge cases
+- Code clarity and maintainability
+- Adherence to existing patterns in the codebase
+- **Use existing utilities** - Search codebase before adding new helpers
+- **Prefer `??` over `||`** - Preserves zero/empty string as valid values
+
+## Architecture
+
+- Consistency with existing architecture patterns
+- Breaking changes or backward compatibility issues
+- API contract changes
+- **Deduplicate** - Move repeated code/types to shared files
+- **Extract utilities** - Shared functions belong in utils packages
+
+## Testing
+
+- Test coverage for new/modified code
+- Edge cases that should be tested
+- **New utility functions need unit tests**
+
+## Performance
+
+- Unnecessary re-renders or computations
+- Bundle size impact of new dependencies
+
+## Frontend-Specific
+
+- **Use existing utilities** - Check `src/utils/` before adding (normalizeAddress, etc.)
+- **Chain-aware addresses** - Only lowercase EVM hex; Solana/Cosmos are case-sensitive
+- **CSP updates required** - New external scripts/styles need `next.config.js` CSP updates
+- **Avoid floating promises** - In useEffect, use IIFE or separate async function
+- **Use useQuery refetch** - Don't reinvent; use built-in refetch from TanStack Query
+- **Flatten rendering logic** - Avoid nested if; use early returns instead
+- **Zustand patterns** - Follow existing store patterns in `src/features/store.ts`
+- **Constants outside functions** - Move config/constants outside component functions
+
+Provide actionable feedback with specific line references.
+Be concise. For minor style issues, group them together.
+Security issues are handled by a separate dedicated review.
@@ -0,0 +1,38 @@
+## Frontend Security Focus Areas
+
+This is a Web3 frontend application. Pay special attention to:
+
+### XSS & Content Security
+- Input sanitization before rendering user data
+- Dangerous patterns: dangerouslySetInnerHTML, eval(), innerHTML
+- URL validation (javascript: protocol, data: URLs)
+- CSP headers and inline script risks
+
+### Web3 Wallet Security
+- Blind signature attacks (signing data without user understanding)
+- Transaction simulation before signing
+- Clear message display before signature requests
+- Proper origin/domain verification for wallet connections
+- **Chain-aware address validation** - EVM hex can lowercase; Solana base58/Cosmos bech32 are case-sensitive
+- **Don't collapse addresses** - Normalizing non-EVM addresses can create security issues
+
+### Dependency & Supply Chain
+- Known vulnerabilities in dependencies
+- Malicious packages, typosquatting
+- Outdated critical security packages
+
+### API & Token Security
+- CORS configuration
+- Token storage (avoid localStorage for sensitive tokens)
+- API key exposure in client-side code
+
+### Private Key Handling
+- NEVER expose private keys client-side
+- Check for hardcoded keys or mnemonics
+- Wallet connection patterns should not request keys
+
+### Content Security Policy
+- New external resources (scripts, styles, frames) need CSP header updates
+- Check `next.config.js` for script-src, style-src, connect-src, frame-src
+- Third-party integrations (Intercom, analytics, wallets) need explicit allowlisting
+- Test with CSP enabled in production mode
@@ -1,18 +1,15 @@
 name: ci
 
 on:
-  # Triggers the workflow on push or pull request events but only for the main branch
   push:
     branches: [main, nautilus, nexus, injective, trump, ousdt]
   pull_request:
     branches: [main, nautilus, nexus, injective, trump, ousdt]
   merge_group:
-
-  # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
 jobs:
-  install:
+  build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -34,7 +31,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-pnpm-store-
 
-      - name: pnpm-install
+      - name: Install dependencies
         run: |
           pnpm install --frozen-lockfile
           CHANGES=$(git status -s)
@@ -44,9 +41,13 @@ jobs:
             exit 1
           fi
 
-  build:
+      - name: build
+        run: pnpm run build
+        env:
+          NEXT_PUBLIC_WALLET_CONNECT_ID: ${{ secrets.NEXT_PUBLIC_WALLET_CONNECT_ID }}
+
+  typecheck:
     runs-on: ubuntu-latest
-    needs: [install]
     steps:
       - uses: actions/checkout@v6
       - uses: pnpm/action-setup@v4
@@ -70,14 +71,11 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: build
-        run: pnpm run build
-        env:
-          NEXT_PUBLIC_WALLET_CONNECT_ID: ${{ secrets.NEXT_PUBLIC_WALLET_CONNECT_ID }}
+      - name: typecheck
+        run: pnpm run typecheck
 
   prettier:
     runs-on: ubuntu-latest
-    needs: [install]
     steps:
       - uses: actions/checkout@v6
       - uses: pnpm/action-setup@v4
@@ -112,7 +110,6 @@ jobs:
 
   lint:
     runs-on: ubuntu-latest
-    needs: [install]
     steps:
       - uses: actions/checkout@v6
       - uses: pnpm/action-setup@v4
@@ -141,7 +138,6 @@ jobs:
 
   test:
     runs-on: ubuntu-latest
-    needs: [build]
     steps:
       - uses: actions/checkout@v6
       - uses: pnpm/action-setup@v4